RPKI, or Resource Public Key Infrastructure, is one of the most important routing security technologies used on today’s Internet. It helps IP resource holders prove which Autonomous System is authorized to originate their IP prefixes, reducing the risk of unauthorized BGP announcements, route hijacks, and accidental routing failures.
The Internet depends on thousands of independent networks exchanging reachability information through the Border Gateway Protocol, better known as BGP. BGP makes global routing possible, but its original trust model did not include strong cryptographic verification of whether a network was actually allowed to announce a specific IP prefix. RPKI was developed to close part of that gap.
RPKI stands for Resource Public Key Infrastructure. It is a public key infrastructure designed specifically for Internet number resources, including IP address blocks and Autonomous System Numbers.
Unlike the Web PKI, which is mainly used to validate domain names and website identities, RPKI validates statements about Internet routing resources. In practical terms, it allows the holder of an IP prefix to create a signed authorization showing which ASN may originate that prefix in BGP.
This signed authorization is called a Route Origin Authorization, or ROA. Network operators can then use Route Origin Validation, or ROV, to compare BGP announcements against validated ROA data.
Without RPKI, a network may accidentally or deliberately announce IP space that belongs to another organization. If other networks accept that route, traffic can be redirected, dropped, degraded, or exposed to interception risks.
RPKI helps reduce this risk by giving resource holders a way to publish cryptographically verifiable routing intent. When a route is inconsistent with the published authorization, networks that perform Route Origin Validation can reject it or treat it with lower preference.
RPKI follows the allocation hierarchy of Internet number resources. IP addresses and ASNs are distributed through IANA, Regional Internet Registries, National Internet Registries, Local Internet Registries, and resource holders. RPKI certificates reflect that resource hierarchy.
A resource certificate confirms that a holder has been allocated or assigned specific IP resources. The certificate itself does not define routing policy. Instead, it allows the resource holder to create signed objects, especially ROAs, that describe which ASN is allowed to originate a prefix.
| RPKI Component | What It Does | Why It Matters |
|---|---|---|
| Resource certificate | Confirms control over IP address space or ASNs within the RPKI hierarchy | Provides the cryptographic foundation for signed routing statements |
| ROA | Authorizes a specific ASN to originate one or more IP prefixes | Lets networks verify whether a BGP origin announcement is legitimate |
| RPKI repository | Publishes certificates, ROAs, manifests, CRLs, and related objects | Makes routing authorization data available to relying-party validators |
| Relying-party validator | Fetches and validates RPKI data from repositories | Produces validated prefix-origin data for network operators |
| Router using ROV | Compares BGP routes against validated RPKI data | Can accept, reject, or de-preference routes based on validation state |
A ROA, or Route Origin Authorization, is a digitally signed object that states which Autonomous System is authorized to originate a particular IP prefix or group of prefixes.
A typical ROA includes three key elements: the IP prefix, the authorized origin ASN, and the maximum prefix length that may be announced. For example, a resource holder might authorize AS64496 to originate 203.0.113.0/24. If more specific announcements are allowed, the ROA may include a maximum length such as /25 or /26.
For IP resource holders, ROA accuracy is critical. A wrong origin ASN, an incorrect maximum length, or a forgotten ROA update after a network change can cause legitimate routes to be marked Invalid by networks that enforce RPKI validation.
Route Origin Validation is the process of checking a BGP announcement against validated RPKI data. The result normally falls into one of three states: Valid, Invalid, or NotFound.
| Validation State | Meaning | Typical Operational Response |
|---|---|---|
| Valid | The route matches a ROA: the origin ASN is authorized and the prefix length is permitted. | The route can be accepted according to the operator’s normal routing policy. |
| Invalid | A covering ROA exists, but the route does not match the authorized ASN or allowed prefix length. | Many operators reject the route or assign it a lower preference. |
| NotFound | No relevant ROA exists for the prefix. | The route is usually treated differently from Invalid; NotFound does not automatically mean malicious. |
The distinction between Invalid and NotFound is important. Invalid means there is a relevant authorization record and the route conflicts with it. NotFound simply means there is no matching ROA. Since RPKI deployment is still not universal, many routes may remain NotFound.
Routers usually do not perform all RPKI cryptographic validation themselves. Instead, relying-party software fetches RPKI objects from repositories, validates them, and produces a set of validated prefix-origin records.
Routers then receive this validated data through the RPKI-to-Router protocol. This design keeps heavy cryptographic processing away from routers while still allowing routing policy to use RPKI validation results.
RPKI repositories were historically fetched using rsync, but RRDP, the RPKI Repository Delta Protocol, was introduced to improve scaling. RRDP uses HTTPS-based snapshots and deltas, making it better suited to caching and large-scale distribution.
RPKI and Internet Routing Registries are both used in routing policy, but they are not the same. IRR data is widely used to build prefix filters and document routing intent, while RPKI adds cryptographic validation tied to Internet number resources.
| Area | IRR | RPKI |
|---|---|---|
| Main purpose | Publishes routing policy and route objects | Cryptographically authorizes route origin |
| Trust model | Depends on registry quality, maintainer controls, and operational discipline | Follows the resource certificate hierarchy |
| Common object | route / route6 object | ROA |
| Operational use | Prefix filter generation and routing policy documentation | Route Origin Validation |
| Best practice | Keep route objects accurate where required by peers or upstreams | Create accurate ROAs and monitor validation status |
In modern network operations, RPKI and IRR often coexist. Many upstreams and peers still use IRR data, while RPKI is increasingly expected for origin validation and routing security.
RPKI is especially useful against unauthorized route origination. If an attacker or misconfigured network announces a prefix from an ASN that is not authorized in the ROA, networks enforcing Route Origin Validation can identify the route as Invalid.
This is why RPKI is important for ISPs, cloud providers, hosting companies, enterprises, CDNs, DDoS protection networks, and organizations using multi-homed or Anycast infrastructure.
RPKI is powerful, but it is not a complete solution for all BGP security problems. Its most widely deployed function is origin validation. That means it checks whether the origin ASN is authorized to announce a prefix, not whether the full AS path is legitimate.
Because of this, RPKI by itself cannot fully prevent all route leaks, AS path manipulation, or policy violations. Other mechanisms and operational controls are still needed, including prefix filtering, peer review, monitoring, routing policy hygiene, and emerging technologies such as ASPA.
Most RPKI problems are operational rather than conceptual. The technology is designed to improve routing security, but incorrect records can create real reachability problems.
For businesses that lease IPv4 addresses, use BYOIP, migrate providers, or route prefixes through multiple networks, RPKI should be included in the change management process. A routing change should not be considered complete until ROAs, route objects, upstream filters, and monitoring have been checked.
Before creating or updating ROAs, IP resource holders should confirm the routing plan and the authorization chain. This is especially important when using leased IPv4 ranges, multiple upstreams, Anycast, or cloud and CDN providers.
RPKI is increasingly relevant in BYOIP projects. When a company brings its own IP prefix to a cloud, CDN, hosting, or DDoS protection provider, the provider may need to confirm that the prefix can be safely originated or used in its infrastructure.
A correct ROA can show which ASN is authorized to originate the prefix. If the ROA is missing, too restrictive, or points to the wrong ASN, the BYOIP onboarding process may fail or the route may be rejected by networks that enforce RPKI validation.
For leased IPv4 ranges, this becomes even more important. The organization using the range must ensure that the lease terms, authorization documents, registry data, route objects, ROAs, and provider-specific requirements all support the intended routing setup.
InterLIR helps businesses lease IPv4 ranges and prepare the IP-side configuration needed for routing, BYOIP, RPKI/ROA coordination, route objects, LOA documentation, WHOIS/RDAP updates, and verification steps where applicable.
Explore InterLIR BYOIP SolutionsRPKI has moved from a specialized routing security technology to a mainstream part of Internet operations. More networks are publishing ROAs, more operators are validating routes, and routing security initiatives increasingly treat RPKI as a baseline practice.
The next stage of routing security is likely to involve broader automation, better monitoring, cleaner operational tooling, and complementary technologies that address route leaks and AS path validation. ASPA, or Autonomous System Provider Authorization, is one emerging direction that aims to improve protection against route leaks and certain AS path problems.
RPKI does not make BGP perfectly secure, but it significantly improves one of BGP’s weakest points: the lack of cryptographic proof that an ASN is authorized to originate a prefix. For any organization that manages IP resources, RPKI is no longer optional knowledge. It is part of modern routing hygiene.
RPKI means Resource Public Key Infrastructure. It is a security framework for Internet number resources that allows IP prefix holders to publish cryptographically signed routing authorizations.
A ROA, or Route Origin Authorization, is a signed object that authorizes an Autonomous System to originate one or more IP prefixes.
Route Origin Validation is the process of checking a BGP route against validated RPKI data. The route is usually classified as Valid, Invalid, or NotFound.
No. RPKI helps prevent unauthorized origin announcements, but it does not validate the full AS path by itself. It should be combined with other routing security practices.
No. Invalid means a relevant ROA exists but the route does not match it. NotFound means no relevant ROA was found. Many operators treat Invalid routes much more strictly than NotFound routes.
Yes. A wrong origin ASN or maximum prefix length can make legitimate routes appear Invalid to networks that perform Route Origin Validation.
Yes. Many BYOIP workflows depend on correct routing authorization. A cloud, CDN, hosting, or network provider may require ROA updates before accepting or announcing a prefix.
RPKI is one of the clearest and most practical improvements to global Internet routing security. It gives IP resource holders a cryptographic way to state which ASN is authorized to originate a prefix and gives network operators a way to detect unauthorized or misconfigured announcements.
For ISPs, hosting providers, enterprises, cloud users, CDN deployments, DDoS protection setups, and organizations using leased IPv4 space, RPKI should be part of everyday routing operations. Correct ROAs, accurate route objects, careful provider coordination, and ongoing monitoring all help reduce avoidable routing risk.
RPKI does not solve every BGP security problem, but it addresses a fundamental weakness: verifying whether a route’s origin ASN is authorized. As Internet infrastructure becomes more complex and more security-sensitive, that verification is increasingly essential.
Evgeny Sevastyanov
Support Team Leader